Cruce Consulting LLC

Privacy Policy

EFFECTIVEMay 21, 2026 VERSION1.3 SUPERSEDESv1.2 (May 21, 2026)

1. Who We Are

Cruce Consulting LLC ("Cruce," "we," "us," or "our") is an artificial intelligence consulting firm organized under the laws of the State of California, United States. We design, develop, and operate AI-powered software products and services for our clients, including conversational agents, appointment scheduling systems, data processing platforms, and business automation tools. Our principal website is cruceconsulting.com.

2. Scope of This Policy

This policy describes how we collect, use, disclose, store, and protect personal information when you interact with our products, services, and websites. It covers personal information processed through our client-facing AI agents (including, but not limited to, WhatsApp-based appointment systems), our online education platform Pausa y Aprende Sobre IA, and our direct communications with website visitors and prospective clients.

3. Our Role: Data Processor and Data Controller

Cruce performs two distinct roles with respect to personal information:

As a data processor, we operate AI systems on behalf of our clients (the data controllers). For example, when we operate an appointment scheduling agent for a client organization, that organization determines the purposes and means of processing. We process personal information only as instructed by our clients and in accordance with the executed service agreement, data processing addendum (DPA), and applicable non-disclosure agreement (NDA).
As a data controller, we determine the purposes and means of processing for: (i) our online education platform Pausa y Aprende Sobre IA; (ii) our direct interactions with website visitors and prospective clients; and (iii) our own business operations and internal systems.

Where Cruce acts as a processor, the data controller's privacy notice prevails for the processing they direct.

4. Information We Collect

The specific personal information we process varies depending on the service, the client deployment, and our role as processor or controller. Across our products, the general categories of personal information we may collect or process include:

Identification data, such as full name
Contact data, such as phone number and email address
Service-specific data required to deliver the requested service. Depending on the deployment, this may include: appointment or service details (date, time, type, location); reference or case identifiers (for example, a confirmation number or tracking code); supporting information that the client deployment requires to fulfill the service; and communication content exchanged through WhatsApp, SMS, email, or other channels enabled for the deployment.
Information about dependents when provided by a parent or legal guardian for the limited purpose of scheduling services in which the dependent is a participant (for example, a minor included in a family appointment)
Account and profile data for our online education platform Pausa y Aprende Sobre IA, including credentials, enrollment records, and course progress
Technical data automatically collected when you visit our websites (IP address, browser type, timestamps, and referring URL)

The specific categories of personal information processed in any particular client deployment are determined by the client (acting as data controller) and are disclosed in the client's own privacy notice. Cruce processes such data only as instructed by the client and as set forth in the executed service agreement and data processing addendum.

Regardless of deployment, Cruce does not collect or store financial account information (credit card numbers, bank details), Social Security numbers or government identification numbers, health or medical records, driver's license numbers, biometric identifiers, or precise geolocation data, except where expressly required by a specific client engagement and governed by a separate written agreement that establishes the additional safeguards and compliance obligations applicable to such categories.

For online course payments on our education platform Pausa y Aprende Sobre IA, payments are processed directly by our third-party payment provider Stripe, Inc., which is PCI-DSS Level 1 certified (see Sections 7 and 8). Cruce receives only payment confirmation data (such as a transaction reference, amount, and status) and does not store full credit card numbers, CVV codes, or bank account details.

5. Information About Minors

Our services are not directed at children under the age of 13, and we do not knowingly collect personal information directly from children. When a parent or legal guardian provides a minor's name for the limited purpose of scheduling a service (such as a government or medical appointment), that information is collected from the responsible adult, not from the minor.

For California residents: in accordance with the California Consumer Privacy Act (CCPA/CPRA), we do not sell or share the personal information of consumers under the age of 16. We do not engage in the sale or sharing of personal information of any age group.

If you believe that personal information about a child has been submitted to us without proper parental consent, please contact us at the address in Section 19 and we will delete the information promptly.

6. How We Use Information

We use personal information for the specific, limited purposes for which it was collected:

Scheduling, confirming, modifying, and reminding users of appointments
Sending operational notifications via WhatsApp, SMS, or email
Managing waitlists and processing rescheduling requests
Generating operational reports for the client organization (where Cruce is processor)
Operating, administering, and securing our platforms
Delivering courses, processing enrollments, and issuing certificates of completion (Pausa y Aprende Sobre IA)
Responding to your inquiries and requests
Complying with legal obligations and enforcing our agreements

On AI model training. We do not use personal information, message content, or any data identifiable to an individual to train, fine-tune, or improve foundation AI models, whether ours or those of our third-party providers. Aggregated and anonymized operational metrics (such as response latency, error rates, and system uptime) may be used to monitor and improve the reliability of our internal infrastructure. Our use of third-party AI providers (including Anthropic) is subject to those providers' standard terms, which by default do not retain or use customer data to train their models.

We do not sell personal information. We do not share personal information with third parties for cross-context behavioral advertising. We do not use personal information for advertising purposes.

7. Third-Party Service Providers

To operate our products and services, we rely on the following categories of third-party providers, each of whom processes personal information only as our subprocessor and under contractual data protection obligations:

Cloud infrastructure and security: Cloudflare (hosting, content delivery, web application firewall, DDoS protection)
Messaging delivery: Twilio and the WhatsApp Business API (operated by Meta Platforms, Inc.) for sending and receiving messages
AI model providers: Cruce uses a curated set of large language model providers, selected per deployment based on the requirements of the use case, output quality, and the provider's data handling commitments. Current providers include:
- Anthropic, PBC (Claude family of models) — Cruce's primary provider, selected for its safety posture and the contractual commitment that customer data submitted through the API is not used to train Anthropic models.
- OpenAI, L.L.C. (GPT family of models) — used in deployments where the use case benefits from OpenAI's capabilities, under OpenAI's API terms (which, by default, do not use API customer data to train models).
- Google LLC (Gemini family of models) — used in specific deployments that benefit from Gemini's multimodal capabilities or other features, under Google's Vertex AI / Gemini API terms.
Cruce may incorporate additional AI providers in the future where, after evaluation, they meet or exceed our standards for output quality, security posture, and data handling commitments (including non-use of customer data for model training by default). Material changes to our AI provider roster will be reflected in updates to this policy. Where additional or different AI providers are engaged for a specific client deployment, that engagement is also disclosed in the relevant client's service agreement.
Payment processing: Stripe, Inc. — processes course payments for Pausa y Aprende Sobre IA. Stripe is certified as a PCI-DSS Level 1 Service Provider. Full payment instrument data (card numbers, CVV, bank account details) is handled and stored exclusively by Stripe; Cruce receives only payment confirmation data necessary to fulfill the transaction.
Productivity and storage: Google LLC (Google Workspace, including Gmail and Google Drive) for internal communications, document storage, and business administration

Each provider is bound by its own contractual terms and privacy practices. We select providers that maintain recognized security certifications (such as SOC 2 Type II, PCI-DSS, ISO 27001, or equivalent) and that offer contractual data processing terms.

8. Pausa y Aprende Sobre IA — Online Education

Pausa y Aprende Sobre IA is our online education platform offering courses, workshops, and digital learning materials about artificial intelligence. For this platform, Cruce acts as the data controller.

We collect from students: name, email address, account credentials, course enrollment and progress, payment confirmation data (course payments are processed by Stripe, Inc.; Cruce does not store full payment card numbers, CVV codes, or bank account details — see Section 7), and any messages or assignments submitted as part of coursework.

We use this information to provide the course experience, issue certificates, communicate updates about courses you are enrolled in, and improve our educational content. We do not use student data for unrelated marketing without your separate opt-in consent.

9. Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction, including:

Encryption at rest (full-disk encryption on all production systems and storage)
Encryption in transit (TLS 1.2 or higher for all data transmission)
Hashing of sensitive identifiers (phone numbers, account numbers) using SHA-256 where appropriate
Role-based access control with per-route permissions and the principle of least privilege
Mandatory multi-factor authentication (MFA / 2FA) for all corporate accounts
Enterprise password management with periodic credential rotation
API credentials stored as encrypted secrets and never committed to source code
Web application firewall and DDoS mitigation via Cloudflare
Logging and monitoring of administrative actions on production systems

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect personal information, we cannot guarantee absolute security.

10. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this policy, comply with our legal obligations, resolve disputes, and enforce our agreements. Default retention periods are:

Appointment data and operational messages: thirty (30) days after the appointment is completed or cancelled, unless the client's service agreement specifies a different period.
Student data (Pausa y Aprende): for the duration of the account, plus twenty-four (24) months thereafter for academic recordkeeping (certificates issued), unless the student requests earlier deletion.
Website inquiry and business contact data: twenty-four (24) months from the last interaction.
Records required for legal or tax purposes: retained for the period required by applicable law.

When personal information is no longer needed, we either securely delete or irreversibly anonymize it.

11. Cookies and Similar Technologies

Our websites use a limited set of cookies and similar technologies:

Strictly necessary cookies required for site functionality and security (these cannot be disabled)
Analytics cookies that help us understand how visitors use the site, in aggregate and without identifying individual visitors

We do not use advertising cookies or third-party tracking pixels for behavioral advertising. You can configure your browser to refuse cookies; doing so may affect certain site features.

12. Your Rights

Subject to applicable law, you may have the right to:

Access the personal information we hold about you
Request correction of inaccurate or incomplete information
Request deletion of your information
Object to or restrict certain processing activities
Receive your information in a portable, machine-readable format
Withdraw consent at any time, where processing is based on consent
Lodge a complaint with the competent data protection authority

Where our client is the data controller, we will direct your request to them or assist them in fulfilling it, as required by our service agreement. To exercise rights directly with Cruce, contact us using the details in Section 19. We will respond within the timeframes required by applicable law (typically 45 days under CCPA/CPRA, with one permitted extension).

13. California Disclosures (CCPA / CPRA)

This section provides additional information for California residents under the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

Categories of personal information collected in the last twelve (12) months: identifiers (name, email, phone), commercial information (services scheduled or enrolled), internet activity (limited website usage), and inferences drawn from the above for service operation only.

Purposes: as described in Section 6.

Sale or sharing: we do not sell or share personal information as defined under the CCPA/CPRA, and have not done so in the preceding twelve months.

Sensitive personal information: we do not use or disclose sensitive personal information for purposes beyond those permitted by Section 7027(m) of the CCPA regulations.

California residents may exercise their rights by contacting us at the address in Section 19. We will not discriminate against any consumer for exercising their rights.

14. International Data and Mexico (LFPDPPP)

Some of our services involve processing personal information of individuals located outside the United States, including in Mexico. Where our client (data controller) is located in Mexico or processes Mexican residents' data, processing is governed primarily by the controller's own privacy notice under Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations.

For individuals who interact with Cruce directly (for example, students of Pausa y Aprende Sobre IA residing in Mexico), our corresponding Aviso de Privacidad Integral in Spanish, drafted in compliance with the LFPDPPP, is available on request and on our website's Spanish-language pages.

15. WhatsApp and Messaging Platforms

When you communicate with us through WhatsApp, your messages are subject to WhatsApp's own privacy policy and the terms of WhatsApp's Business API in addition to this policy. We receive and process message content through Meta's WhatsApp Business API by way of our messaging service provider (Twilio).

Message content is retained for the time necessary to fulfill the requested service (scheduling, confirmation, follow-up, and operational reporting to the client), and in any event no longer than the retention period specified in Section 10 or in the relevant client service agreement.

16. Data Breach Notification

In the event of a personal data breach that creates a risk to affected individuals, we will:

Notify our client (where Cruce is processor) without undue delay, in accordance with our service agreement and applicable law;
Notify affected individuals where Cruce is the controller, within the timeframe required by applicable law (no later than 72 hours after becoming aware of the breach where this requirement applies);
Notify the competent data protection authority where required (including, in California, the Attorney General under Cal. Civ. Code §1798.82, and in Mexico, the affected data subjects in accordance with Article 20 of the LFPDPPP).

17. Precedence of Client Service Agreements

Where Cruce processes personal information on behalf of a client, the specific terms of data handling, retention, security, confidentiality, and use are governed by the executed service agreement, data processing addendum, and non-disclosure agreement between Cruce and that client. In the event of any conflict between this policy and those client agreements with respect to data processed on behalf of that client, the client agreements prevail. This policy is intended to describe our general practices and to inform data subjects of their rights.

18. Changes to This Policy

We may update this policy periodically to reflect changes in our practices, legal requirements, or business operations. The "Effective" date and "Version" at the top of this document indicate the most recent revision. Where changes are material, we will provide reasonable advance notice through our website or, where appropriate, by direct notification. Continued use of our services after the effective date of any changes constitutes acceptance of the updated policy.

19. Contact Us

For privacy-related inquiries, to exercise your rights, or to report a concern, please contact:

Cruce Consulting LLC
Privacy Office
Email: privacy@cruceconsulting.com
Website: cruceconsulting.com
Jurisdiction: Los Angeles County, California, United States

For Spanish-language inquiries or LFPDPPP-related rights in Mexico, please write to privacy@cruceconsulting.com and consult our Spanish-language Aviso de Privacidad Integral.